This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Monday, November 26, 2012

Should you cover your tracks from government snooping?

Most of us store a lot of stuff in the cloud. For example, most of us keep lots of old emails in the cloud, since storage is free, they're easily searchable, and it's always possible that those old emails could come in handy some day. In fact, there are a lot of practical reasons to keep stuff like old emails forever. Yet it's worth taking a moment to consider the risk that governments can access data that you choose to keep.

Governments are in a unique category, since they can simply pass laws to give themselves the rights to access data. Some of these laws are wildly out of date, and simply no longer fit for purpose, in particular the US law from 1986, called the Electronic Communications Privacy Act. For some years now, there have been many calls to Congress to update these laws. Perhaps the Petraeus scandal will give this movement new impetus, since the privacy debate usually advances only when abstract privacy concepts are given a human face and a story that people can empathize with.

As a normal user of email, it's fair to ask whether there's any reasonable risk that a government would be interested in accessing my emails. After all, most of us are not Director of the CIA or cybercriminals. As a matter of civil liberties, it's important for everyone to have some sense of the balance between privacy and surveillance that the government has chosen. As a user, I want to know which governments are accessing data, and how often. I know that published metrics will be imperfect, but I want to have more transparency, so that I can make my own decisions, as a user and as a citizen.

Seen from a global perspective, it's important to realize that most governments around the world are accessing user data. It's not just one or two governments. I can't count the number of times privacy advocates in Europe have warned users that the US government could potentially access their data in the cloud, without mentioning the risks that their own governments could do the same thing. In fact, to take the French example, the French government is trying to launch a "French cloud", explicitly to try to evade US government surveillance, even though this taxpayer-funded initiative is based on "bad assumptions about cloud computing and the Patriot Act", and even though France's own anti-terrorism law has been said to make the Patriot Act look "namby-pamby by comparison", as reported on ZDNet.

I think it's fair to assume that most people would be far more uncomfortable with foreign governments, rather than their own governments, accessing their data. That points to one of the hardest issues in the cloud, namely, that multiple governments can (and do) have the power to demand access to user data, if they follow appropriate legal procedures.

In light of all this, I believe that it's an ethical imperative for companies that are entrusted with user data to publish statistics on governments' requests for access to user data. A number of web companies are now publishing data on all this, in addition to Google, which started this trend of reporting on governments' requests for user data. I strongly encourage you to take a look at those statistics, which may challenge some of your long-held intuitions about which governments are most active in trying to access user data. Other companies have also started publishing statistics: Dropbox, LinkedIn, Sonic.net and Twitter.

But most companies are still not publishing any such statistics. A lot of companies are failing their users now. The Electronic Frontier Foundation ranked companies in "When the government comes knocking, who has your back?" There are a lot of big names on that list doing very little to give their users transparency.

In the meantime, as users, we all have to decide if we want to keep thousands of old emails in our inboxes in the cloud. It's free and convenient to keep them. Statistics published by some companies seem to confirm that the risks of governments seeking access to our data are extremely remote for "normal people". But the laws, like ECPA, that are meant to protect the privacy of our old emails are obsolete and full of holes.

The choice is yours: keep or delete. I'm a pragmatist, and I'm not paranoid, but personally, I've gotten in the habit of deleting almost all my daily emails, except for those that I'd want to keep for the future.

Like the rule at my tennis club: sweep the clay after you play.